From a39ca113ecf6ae4bd55b193054a947a84be9a257 Mon Sep 17 00:00:00 2001 From: Kerrie Niemasik Date: Wed, 9 Nov 2022 15:06:55 -0500 Subject: [PATCH] fix: remove newline entities (#46) * fix: remove newline entities * strip out tabs and newlines * not decoding, so just replace * update changelog --- CHANGELOG.md | 3 +++ src/__tests__/test.ts | 6 ++++++ src/index.ts | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e12bc9e..e1a4dff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # CHANGELOG +## unreleased +- Fix issue where urls in the form `https://example.com /something` were not properly sanitized + ## 6.0.1 - Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized diff --git a/src/__tests__/test.ts b/src/__tests__/test.ts index 365dd17..08720ba 100644 --- a/src/__tests__/test.ts +++ b/src/__tests__/test.ts @@ -92,6 +92,12 @@ describe("sanitizeUrl", () => { ); }); + it("removes newline entities from urls", () => { + expect(sanitizeUrl("https://example.com /something")).toBe( + "https://example.com/something" + ); + }); + it("decodes html entities", () => { // all these decode to javascript:alert('xss'); const attackVectors = [ diff --git a/src/index.ts b/src/index.ts index 3852569..5f96750 100644 --- a/src/index.ts +++ b/src/index.ts @@ -1,6 +1,6 @@ const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im; const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g; -const htmlTabEntityRegex = /&tab;/gi; +const htmlCtrlEntityRegex = /&(newline|tab);/gi; const ctrlCharactersRegex = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim; const urlSchemeRegex = /^.+(:|:)/gim; @@ -12,7 +12,6 @@ function isRelativeUrlWithoutProtocol(url: string): boolean { // adapted from https://stackoverflow.com/a/29824550/2601552 function decodeHtmlCharacters(str: string) { - str = str.replace(htmlTabEntityRegex, " "); return str.replace(htmlEntitiesRegex, (match, dec) => { return String.fromCharCode(dec); }); @@ -20,6 +19,7 @@ function decodeHtmlCharacters(str: string) { export function sanitizeUrl(url?: string): string { const sanitizedUrl = decodeHtmlCharacters(url || "") + .replace(htmlCtrlEntityRegex, "") .replace(ctrlCharactersRegex, "") .trim();